Comment by mrweasel
4 days ago
As many IT people in Denmark are pointing out, it's not really about replacing Office and Windows, it's all the surrounding infrastructure that will be the main issue.
Are these Linux machines going to authenticate against the Azure Active Directory, maybe just a local Active Directory, or is the IT department going to run a separate service in parallel? Are they moving away from Exchange Server... probably not, given that it's half of the staff. Are they using Intune, if so what's the replacement strategy there?
My guess is that many of these staff members are going to use webmail and run Windows programs in remote desktop. The investments in the infrastructure aren't high enough, nor have they addressed any of the hard problems and the time frame is rather short. I doubt any significant money and time has been set aside for training.
It is going to end in complete failure, the employees are going to complain about lost productivity and a frustrating work environment. They are setting themselves up for complete failure.
The same is happening in a number of schools, where Linux and LibreOffice are set to replace Chromebooks for some students. The expectation is that the cost is going to be €2.25M per year, for the next two years, then there will be a cost saving of €4-5M. Again no plans for handling authentication, email, file sharing or provisioning. They'll just force the students out of the relatively protected Google Workspace for Students, into the "real" Google/Gmail ecosystems where they are less protected against data mining.
This will all end badly and it will be because of poor planning. Then the next US president steps in, calms things down and we forget the whole thing in 2 years.
I'm currently working at a large public institution in Norway.
Half the team runs Linux, and the only real constraint is using Edge for SSO. (Firefox works too - you just have to actually log in like it's 2008.)
Honestly, everything else runs smoother than what my Windows-using teammates are dealing with.
That is probably just a setting missing from your Firefox profile that allows your company Kerberos realm/domain. If your institution hasn't locked down your Firefox config, you can fix this yourself: https://docs.redhat.com/en/documentation/red_hat_enterprise_...
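An added example, not part of the thread: a small audit of the Firefox SPNEGO preferences the comment above refers to, checking a profile's prefs.js/user.js text for a missing company domain and for entries that are too broad. The host names (`corp.example`, `sso.corp.example`) and the sample file are constructed, and the host matching is a simplified approximation of Firefox's own rules.

```python
import re

# Matches string prefs such as:
#   user_pref("network.negotiate-auth.trusted-uris", ".corp.example");
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref)\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;'
)
TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"


def read_negotiate_prefs(text):
    """Return {pref_name: [entries]} for the SPNEGO prefs found in the text."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in (TRUSTED, DELEGATION):
            found[m.group(1)] = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return found


def entry_host(entry):
    """Host part of an entry, lower-cased, without scheme, port or path."""
    rest = entry.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def covers(entry, host):
    """Simplified match: scheme-only entry, exact host, or parent domain."""
    eh = entry_host(entry).lstrip(".")
    if not eh:
        return entry.endswith("://")  # e.g. "https://" matches every host
    host = host.lower()
    return host == eh or host.endswith("." + eh)


def audit(text, sso_host):
    """Return findings for one profile; an empty list means nothing to report."""
    prefs = read_negotiate_prefs(text)
    findings = []
    if not any(covers(e, sso_host) for e in prefs.get(TRUSTED, [])):
        findings.append(f"missing: {sso_host} is not covered by {TRUSTED}")
    for name in (TRUSTED, DELEGATION):
        for e in prefs.get(name, []):
            if not entry_host(e):
                findings.append(f"too-broad: {name} entry {e!r} names no host")
    return findings


# Constructed sample profile: Kerberos is allowed for the company domain,
# but the scheme-only entry also offers it to every HTTPS site.
SAMPLE_USER_JS = '''
user_pref("browser.startup.page", 3);
user_pref("network.negotiate-auth.trusted-uris", "https://, .corp.example");
user_pref("network.negotiate-auth.delegation-uris", ".corp.example");
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_USER_JS, "sso.corp.example"):
        print(finding)
```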
I suspect nowadays it's more likely a matter of integrating with Microsoft's "identity broker", part of Intune, aka "Company Portal".
You use Intune to log in and register your device against your Microsoft account, and microsoft-identity-broker is a DBus service that hands out tokens that can be passed to login.microsoft.com (either as a cookie or a special header) which identifies you (skipping the username/password login) and allows you to pass the company device test.
I was able to put together a working ad-hoc extension for Firefox to make the DBus call and pass the header, though I've since come across this extension (haven't tried it myself) which looks like it achieves the same thing (with a lot more features, based on the code size?):
https://github.com/siemens/linux-entra-sso
Edge on Linux seems to have this built in, so if you open any page on login.microsoft.com, you'll see it passing some "x-something" header with a token that it received from the identity broker (generated on each page load).
It’s really not. Edge bundles a number of authentication libraries with the Linux version that enable things like remote passkey support.
I feel reasonably confident that if the focus is on open tooling and sovereignty and not saving money then a shift to Linux can 100% work even at large and complex organizations.
This sounds really interesting. Are you able to share more about this (even in private) for inclusion in https://eu-os.eu/use-cases ?
>Half the team runs Linux, and the only real constraint is using Edge for SSO. (Firefox works too - you just have to actually log in like it's 2008.)
So everything in the backend is still MS? Office 365, Intune, the full stack? That is the point of the comment you are replying to.
The "terminals" don't matter that much if the goal is to get rid of MS dependency and they run Office 365... what's the point.
Windows licensing cost. They are a pretty penny at large scale.
> using Edge for SSO
May I ask what that SSO solution is? Because it sounds like it might be a Microsoft product.
Yeah, probably is. I see the same HTTP Auth login when accessing my employer's intranet (Sharepoint) from Firefox.
Honestly, I’m not entirely sure.
I’ve seen the name Forgerock pop up occasionally, but I don’t know if that’s just tied to the login component on the web pages. Also, they recommend Mac users stick with Safari, which is puzzling. I mean: if it was a Microsoft product, you’d think they’d lock it down to Edge on Mac too—so that makes me wonder.
Just my thoughts—could be totally off base.
Kerberos is sort of magic when/if you finally get it working
I hope all employees will use their experience to make a success of this project. Switching to Linux and ditching Micro$oft should be a priority of each European country.
I hope so too, but I fear that the implementation is rushed and won't yield the positive results it could have.
That's what the EU OS project is also about! https://eu-os.eu
I have a related experience. Our project was moving from Office 365 to Google Workspace. Lots of Windows PCs replaced with Chromebooks.
Over a year after completion, many users still have Excel and we do lots more app virtualization. I will say the biggest hurdle that still remains today is users accepting and adjusting to change. The migration also exposed lots of unknown user-created processes that no longer worked as usual, making it difficult for them to transition.
Overall, most users made the necessary adjustments, did the training provided, and are excelling. There's always that subset that can't, or maybe won't.
If those users have to work with large spreadsheets then Google Workspace is simply nonfunctional. I've tried to use Google Sheets but it hangs and never finishes recalculations that Excel completes in seconds.
Absolutely have run into that. In those instances they keep excel, or we move that data to a different platform for consumption.
Entra (prev AAD) can be replaced by literally any other OAuth provider for SSO - shibboleth is an on-prem option.
Traditional AD is harder to replace, but OpenShift’s IdP has an AD server mode that is capable of many use-cases; the cases it doesn’t do are GPO, Windows Update forcing, and other stuff no longer relevant on linux.
Are they moving away from Exchange Server? I’d hope so, MTAs are a dime a dozen in linux land. There’s a dozen homegrown alternatives for calendar + mail, from ProtonMail to running Exim + caldav.
The rentier companies may have “extended” the open source backing, but you’re not missing much except marketing.
Or maybe Microsoft is terrified that it will work? Then Bill Gates would not be able to do his 345th pledge of "I will give away all my money..."
https://www.freeipa.org/
"Manage Linux users and client hosts in your realm from one central location with CLI, Web UI or RPC access. Enable Single Sign On authentication for all your systems, services and applications."
https://www.keycloak.org/
"Open Source Identity and Access Management"
FYI Bill Gates stepped down as CEO in 2000.
"Bill Gates never left" - https://www.businessinsider.com/bill-gates-still-pulling-str...
"...In fact, Business Insider has learned, Gates has been quietly orchestrating much of Microsoft's AI revolution from behind the scenes. Current and former executives say Gates remains intimately involved in the company's operations — advising on strategy, reviewing products, recruiting high-level executives, and nurturing Microsoft's crucial relationship with Sam Altman, the cofounder and CEO of OpenAI..."
> Are these Linux machines going to authenticate against the Azure Active Directory... Are they using Intune, if so what's the replacement strategy there?
This comes up all the time when we talk about Linux in corporate deployment. As I have only experience in the MS world regarding governance, let me ask this:
- Are there really no tools for the Linux world that allow managing loads of Linux machines in as easy a manner as it is in the MS world (applying GPO policies)? A tool that can be easily set up and managed and doesn't have to always resort to scripting?
- If there are, why are people not using them?
I'm kind of aware there are some things that allow managing Linux machines via Windows AD GPO, but that depends on an MS domain being there.
Seems ripe for a startup to provide open source tool(s) with, say, paid support for the enterprises.
That depends on what you want to do. If you want an all-in-one solution you'd go with the solution of your distribution vendor, e.g. Red Hat IPA/Satellite, SUSE Manager, or Ubuntu Landscape. Linux just plays nicer with ADS than MS Windows with any Linux solution, so most fall back to ADS in mixed environments.
If you only want Identity, Policies and Audit trails over several different Linux distributions, FreeIPA is your weapon of choice. It is clicky and requires no scripting. Just like ADS it is a bit of a pain to get into, but easier to run than OpenLDAP ;) If you want OpenID, too, connect FreeIPA and Keycloak, but you will need to dive onto the CLI. For configuration management connect Saltstack, here you have to edit rules files.
As someone whose career has involved managing large numbers of deployed Linux and BSD machines: what's wrong with scripting? It's expressive, debuggable, repeatable, easy to communicate about verbally and on wikis. If you want something that's more constrained there are tools like puppet and ansible.
I guess this is another one of those "smalltalk people" vs "unix people" talking past each other because they have shared vocabulary with different implications kind of situations.
Scripting is error prone and requires more skilled admins. Not so great if one wants to deploy Linux as a Desktop OS.
> Are there really no tools for the Linux world that allow managing loads of Linux machines in as easy a manner as it is in the MS world
You can create fedora-based container images with your specific programs and configs included in the rootfs. The newly created container image will then be used as the rootfs for machines when they upgrade.
See https://universal-blue.org/
Funny thing is that Ubuntu, Suse, and RedHat support gpos now: https://ubuntu.com/blog/new-active-directory-integration-fea...
and then most of the places I know happily allow employees admin access for "just that piece of software they need" and simultaneously push for "zero-trust". There's no point in it at all and you can just as well use saltstack to rollout apparmor-policies on your locked-down linux (and suddenly the same people wanting GPOs tell you that linux is untenable because of usage restrictions)
I’ve done it with Puppet, mostly dropping config files around the place.
Everything was more work than it would’ve been under Windows, from endpoint configuration enforcement through to things like authentication and PKI.
> - Are there really no tools for the Linux world that allow managing loads of Linux machines in as easy a manner as it is in the MS world (applying GPO policies)? A tool that can be easily set up and managed and doesn't have to always resort to scripting?
Nope, there's no unification in configuration formats (yml, ini etc), locations (/var, /etc, /usr, /opt/etc) or registries (dconf, gconf).
Yes, standards exist, but they are rarely followed to the letter.
If it exists, I expect it would be in Red Hat Enterprise Linux or Ubuntu. Most of us don't use those, though, so I don't expect the knowledge is common.
Well, for servers there is Nix, but not sure about desktop.
I'd say using Nix is bordering on using scripting. Someone still has to write the method that extracts your Nix configuration into a file.
I see this as a win. It will hopefully prune the incompetent managers/leaders and all the other incompetent tech workers that don't understand there is a world outside of the Microsoft/Google ecosystem.
I want to believe that it is not actual incompetence (and nobody will get pruned) but rather laziness/habit/lack of motivation. I have been in a big org where any issues related to how non-windows systems were integrated were, frustratingly, ignored, even if those systems were supposed to be supported and offered as choices (and indeed chosen by many employees). The IT people working on the servers did not care because in windows everything was working fine, and other departments did not have the actual tools to solve anything. They were asking us if we had any spare computer around they could borrow to test things ffs. I hope such changes bring at least the necessary motivation to engage with such issues seriously.
What required software will be rendered incompatible after switching to Linux and Libre Office? Perhaps the crisis will be a shot across the bow at how IT systems almost-universally make computing a bad experience. Technical software like SolidWorks sometimes has OS-restrictions, but most of what I can think of that would be useful for school is, or should be OS-agnostic.
I suspect that some of the software devs here, especially at small companies, may be insulated from the horror that is government and enterprise computer networks. If that stuff breaks, this will be an improvement for users as long as they can get internet.
I suspect I am looking at this through a mix of optimism and naivety. Or colored by my own experiences.
>I suspect I am looking at this through a mix of optimism and naivety.
For sure.
I agree that the planning does not consider a lot of aspects, but this is not the reason to surrender to big tech. We need more experts and a more sensible plan indeed, that considers the infrastructure, authentication, and so on.
This. Didn't Denmark try this before and fail? Didn't some German town do this and go back?
It's also file compatibility.
But yes, the big thing is AD. AD has been out since 2000 and was/is the standard. If you have/had AD and Group policy you move to AAD and Intune for cloud. There is no competitor to this. Zero.
Munich tried this, then MS moved its German office to Munich.
> They are setting themselves up for complete failure.
Maybe, but as the article states, they already acknowledge the possibility and have a backup plan in place, and, frankly, someone needs to be first.
You could argue that this should not happen on the taxpayers' watch at this department. Yes, maybe some national or EU-level body should actually do the R&D to solve the structural issues around large scale Linux usage so that everyone can benefit. But for now this seems like a reasonable approach for a pretty small organization and a good learning step.
yesterday: I saw the weird CVE for M365 which "exploits" some LLM through messaging embedded in emails.
today: got a very long email, wanted to search for our department in it. Outlook: "Search is a deprecated feature".
Despite all the "but you can't extrapolate to a large org from personal experiences"-FUD around, I think for most orgs (especially governments which are generally far behind on processes) it would be easy to switch from a feature-perspective. The problem is the army of employees and contractors who are very happy to defend Microsoft for keeping their non-automated thiefdoms (such is non-cloud AD administration at most places I extrapolate ....). There is hardly anyone there to implement the necessary processes and rather than to send out their underlings to FOSDEM, leadership is happy to get an invite by Microsoft (or a cloud-provider...) to an "innovation-summit" instead.
I was watching my wife navigate Outlook the other day, I can't believe how bad it's got since I last used it. It was completely unresponsive on brand new hardware. The UI was awful.
Outlook used to be one of the best email clients available. Now it’s essentially the worst imaginable.
We just renewed our 365 licenses at my company for one more year. I’ve been mentally sketching out an exit strategy. I inventoried what we use in 365 and Azure, and there’s not a single thing we can’t replace with an alternative we run or a different provider that’s a bit less hostile to third party ecosystems/standards/etc.
I briefly used MS Word recently, and the UI is so different. I found it quite hard to find things.
Outlook has gotten so terrible that the web version is better these days...
Search is a deprecated feature?
I think they may have triggered a wrong search. Smart Lookup in Office is indeed deprecated and labeled Search. So right click on a word in a text, select Search and that will no longer work, but that wasn't searching in your text, but rather online.
Sorry but if you work with Word you can’t complain about a loss of productivity.
People are just accustomed to pain of working with Word.
The change to LibreOffice is way smaller than MS's switch to Ribbon menus
Yes
> They'll just force the students out of the relatively protected Google Workspace for Students, into the "real" Google/Gmail ecosystems where they are less protected against data mining
What? This sounds like there is an observable way of telling that there's different levels of data mining going on in these two spaces, mind sharing the evidence?
There is no data mining/profiling in Google's educational offering (also no ads, which there are in regular Gmail):
> Google Workspace for Education Core Services (like Gmail, Google Calendar, Classroom, and more) have no ads, and student information in Core Services is never used to create profiles for ad targeting, or sold to third parties.[1]
1) https://edu.google.com/intl/ALL_us/our-values/privacy-securi...
Makes sense. Get them used to using Google services, or else someone else will step in and do it.
Same reason Microsoft used to give all sorts of free licenses to students.
There are so many better ways to do this right. But they don't make big news.
Why not rework auth?
Why are you stuck on azure AD?
Why Linux at all in this case if it’s just like RDS?
Honestly just use Azure Virtual Desktops.
Linux desktop has a terrible security model. Unless they intend to spend significant amount of time hardening the base distro, which also comes with its own caveats. Windows, for all its problems, is still a better choice for an enterprise environment
The companies falling to malware and extortion/ransomware would seem to indicate otherwise
What? That is a really stupid way to think you're better off using Linux Desktop. Plenty of modern malware versions target pretty much every OS, from windows to mac
It's also just absurd in general since no one who has used LibreOffice can seriously think it is a viable replacement. It can do in a pinch but I imagine the file format incompatibility issues between ms and libre are going to cost more in lost productivity than your number above.
This particular brand of take strikes me as lazy. In general, each type of product is going to have some core features that almost everyone needs. And then there's going to be a long tail of features that fewer and fewer users need to make use of the tool effectively. Office tools like LibreOffice and Google Sheets strike a sort of 80/20, where they can build perhaps less than half the features of the totally complete product, but still serve a huge percentage of the market's needs (maybe 95%+, since most users aren't power users).
So when I see critiques of GIMP versus Photoshop, or Linux versus Windows, or LibreOffice versus Microsoft Office, saying "oh, it has fewer features and therefore nobody can take it seriously" it's just reductive, and provides zero useful insight. It's all about the particular needs of the person or organization and how those intersect with the features of the product they're thinking of adopting.
I would go further and say that MS products have completely backwards priorities that lead to an overinflated feature count. What good is fancy formatting in excel if it chokes and crashes once the file hits about 20 MB? Yet despite all this emphasis on form over function over multiple decades of being a flagship product for a multibillion dollar software empire, it still produces plots that are unacceptable for publication and instill bad habits in students.
I'm convinced the people who insist on "features" in these products don't actually use them, because if they did they would realize they suck and are a distraction from a poor core product. It's like people in the US who live in downtown apartments and insist on driving massive overpriced pickup trucks to commute to work and get groceries, never hauling or towing or leaving the pavement. They would be better served by commuter vehicles, but all they've ever driven is show trucks and learning new things is scary. If they did attempt to do real work, they would quickly realize the bed can't hold a standard sheet of plywood.
The important thing is that they FEEL like they have capability at their fingertips, even if this is obviously an illusion to people who actually use those capabilities.
In my past life, we had a mix of Linux users using LibreOffice and MS Windows using Office. It was indeed at times painful, especially when LO content had to be merged into a Word doc.
But too often I think people just think of Word vs Writer but we're talking the Office experience here. Calc is a poor man's version of Excel: I've found it slow with many rows of data and crash-prone (Office is surprisingly solid). Then there is Visio vs Draw. Use Draw for anything complex and you're going to have a really bad time. Us Engineering folk would put together Visio documents all the time and embed them in lengthy technical documents and proposals. Trying to do this in LO is a road to ruin. The Linux folks would either draw diagrams with sticks and boxes or get somebody in Windows to make something decent in Visio.
What we ended up doing was giving a Windows VM with Office on it for those Linux users that needed to produce documents and the like.
The 80/20 rule doesn't apply here because it turns out the "20" is different for everyone. If you take away one critical piece of user or organization's workflow then it doesn't really matter that everything else still works.
For LibreOffice there is still a huge functionality gap in VBA support. This is mission critical in a lot of places.
The only problem I ever had with LibreOffice is that (at the time) there seemed to be some inconsistency when showing some PowerPoint-generated slideshows. I suspect the standard is incomplete and the issue is just a matter of matching the expectations of whatever software was used by the person who generated the slides. So, if the officials switch, it is fine.
Anyway, if the government is generating files that require MS office to open, they are essentially creating an undocumented tax, to be paid to a foreign company. This seems… legally questionable (depending on your local laws of course), and wildly stupid.
Denmark does have a policy of being able to use either docx or odf, but LibreOffice is also known for being able to open older doc files that modern Word struggles with.
I'm not too worried about the LibreOffice part.